Getting Started Tutorials


Tutorial 4: Creating Authorization Policies



Overview

Once the necessary application resources, identities, application roles, and actions are defined, you can make use of them in authorization policies. An authorization policy specifies who can access a resource and what rights (actions) they have when they do so.

 


Scenario

This tutorial shows how to define two authorization policies that secure access to the patient roster. The policy details are provided in Table 5-1.

Table 5-1 Authorization Policies

Policy: Authorization Policy 1
Description: This policy will allow any user in the AdmissionsOperators group to view and edit the patient roster. Since the roster is a JSP page, the required access rights (actions) are POST and GET.
  Effect: Grant
  Actions: GET, POST
  Subjects: AdmissionsOperators
  Resources: roster_index.jsp

Policy: Authorization Policy 2
Description: This policy allows any user in the HealthProviders role to view the roster. Any user assigned to this role will have view access.
  Effect: Grant
  Actions: GET
  Subjects: HealthProviders role
  Resources: roster_index.jsp

 


Create Authorization Policy 1

This policy will allow any user in the AdmissionsOperators group to view and edit the patient roster. Since Harry Hopkins is a member of this group, he will be able to manage the roster.

  1. Select the AdmissionsSystem application in the left pane. Then click on the Resources tab as shown in Figure 5-1.

     Figure 5-1 Selecting Resource Tab

  2. Select the roster_index.jsp resource. Then click New in the lower right part of the Authorization Policies tab.
  3. On the New Authorization Policy dialog, select the Grant radio button and do the following:
    1. On the Actions tab, make sure All is selected in the Select Action Group field. Then select POST and GET in the list of Available Actions and transfer them to the Selected Actions list.
    2. On the Resources tab, clear the resources checkbox and expand the resources tree. Then select and transfer roster_index.jsp to the Selected Resources list.
    3. On the Subjects tab, select the Group radio button and make sure ParkerIdentities displays in the Identity Directories field. Then select AdmissionsOperators in the Available Subjects list and transfer it to the Selected Subjects list.
  4. Click OK. The resulting policy will display in the Policies list as shown in Figure 5-2.

     Figure 5-2 Authorization Policy 1

 


Create Authorization Policy 2

This policy will allow the HealthProviders role to view the patient roster.

  1. Picking up from step two in the previous section, make sure the roster_index.jsp resource is selected and click New to open the New Authorization Policy dialog.
  2. On the New Authorization Policy dialog, select the Grant radio button and do the following:
    1. On the Actions tab, make sure All is selected in the Select Action Group field. Then select GET in the list of Available Actions and transfer it to the Selected Actions list.
    2. On the Resources tab, clear the resources checkbox and expand the resources tree. Then select and transfer roster_index.jsp to the Selected Resources list.
    3. On the Subjects tab, select the Role radio button. Then select the HealthProviders role and transfer it to the Selected Subjects list.
  3. Click OK. The resulting policy will display in the Policies list as shown in Figure 5-3.

     Figure 5-3 Authorization Policy 2

Tip: By itself, authorization policy 2 does not grant access to any particular users, because the HealthProviders role is not yet assigned to any users or groups. In the next tutorial, this will be accomplished using a role policy.
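The tip above can be checked with a small model of the two policies in Table 5-1. This is an added example, not the product's API or policy engine; it assumes requests are denied unless a Grant policy matches, and the user `constructed_clinician` and the role-assignment map are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    effect: str
    actions: frozenset
    subjects: frozenset   # (kind, name) pairs; kind is "group" or "role"
    resources: frozenset

# The two policies from Table 5-1.
POLICIES = [
    Policy("Authorization Policy 1", "Grant", frozenset({"GET", "POST"}),
           frozenset({("group", "AdmissionsOperators")}),
           frozenset({"roster_index.jsp"})),
    Policy("Authorization Policy 2", "Grant", frozenset({"GET"}),
           frozenset({("role", "HealthProviders")}),
           frozenset({"roster_index.jsp"})),
]

# From the tutorial: Harry Hopkins is a member of AdmissionsOperators.
GROUPS = {"Harry Hopkins": {"AdmissionsOperators"}}
# Assumption: role name -> set of users or groups holding it.
# Empty here because no role policy has been created yet.
ROLE_ASSIGNMENTS = {}

def subjects_of(user, role_assignments):
    """Every (kind, name) subject the user matches: groups, then roles."""
    groups = GROUPS.get(user, set())
    subs = {("group", g) for g in groups}
    for role, members in role_assignments.items():
        if user in members or groups & members:
            subs.add(("role", role))
    return subs

def is_allowed(user, action, resource, role_assignments=ROLE_ASSIGNMENTS):
    """Assumed deny-by-default: allow only if some Grant policy matches."""
    subs = subjects_of(user, role_assignments)
    return any(p.effect == "Grant" and action in p.actions
               and resource in p.resources and bool(subs & p.subjects)
               for p in POLICIES)

def inert_policies(role_assignments=ROLE_ASSIGNMENTS):
    """Policies whose subjects are all roles that nobody holds yet."""
    return [p.name for p in POLICIES
            if all(kind == "role" and not role_assignments.get(name)
                   for kind, name in p.subjects)]
```

Running `inert_policies()` before a role policy exists reports Authorization Policy 2, which is a useful review check for grants that look active in the Policies list but match no one.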

 


Save Your Work

If autosave is not enabled, save your work as follows:

  1. Click Save & Distribute as shown in Figure 5-4.

     Figure 5-4 Save Changes

  2. On the Save and Distribute window, make sure No, just save changes is selected and click OK.

Note: In an actual deployment, you could select the Yes, save changes and distribute option to both save the role policy and distribute it to the SSM for immediate enforcement in the secured application.

 


Summary

In this tutorial we defined two authorization policies that restrict access to the patient roster.

